Nowadays, Wireless Internet Service Providers (WISP) play an important role in providing fixed or mobile wireless services to the customers. Using Wi-Fi or other wireless methods, WISPs provide Internet access in public places such as airports, hotels, restaurants, shopping centers, etc. Wi-Fi is a certification trademark of the Wi-Fi Alliance for products based on the IEEE (Institute of Electrical and Electronics Engineers) 802.11 standards. For the implementation of a public Wireless Internet service, WISPs can use mobile WiMAX (Worldwide Inter-operability for Microwave Access, e.g. IEEE 802.16 standard) for example based on EAP authentication (IETF RFC 3748), WLANs based on the IEEE 802.1x standard or WLANs based on WISPr and UAM (Universal Access Method) with the IEEE 802.11 standard to deliver Internet access to customers all over the world. UAM is a method to allow a subscriber access to a WLAN network, as e.g a Wi-Fi network, whereby only an Internet browser is used. The Internet browser opens with a login page in which the user has to fill in his credentials (usually username and password) before he is granted access to the network. Beside authentication and authorization of the customers, the WISPs also provide web payment service for example for digital content. Such web payment services can be billed to Internet service provider (ISP), telephone company or credit card accounts. WISPs often also supports micropayments to charge the account at the end of the month.
In the state of the art, access authentication and authorization to Public WLAN is predominantly based on the mentioned UAM and WISPr, both being HTTP based and therefore requiring the mobile device to gain IP access to the infrastructure (see FIG. 2). UAM and WISPr are solely provisioned for username/password authentication, not for SIM or certificates based authentication. Therefore there are serious obstacles when realizing real roaming based on today's UAM and WISPr, e.g. operators are forced to use username/password if they want roaming, which is very inconvenient for certain type of operators (e.g. GSM) that are used to work with smart cards. On the other side, mobile WiMAX is based on EAP authentication, an IETF (Internet Engineering Task Force) defined standard that generically supports username/password, SIM (subscriber identity module) or smart card and certificate based authentication (see FIG. 1). EAP based authentication is today possible on WLAN by using the IEEE 802.1x standard. 802.1x is however not compatible with UAM and WISPr access. An operator that wants to sell subscription less access to its network (i.e. instant access with payment by credit card) needs the UAM method. An operator that wants to supports both EAP and UAM must therefore have a dual infrastructure that broadcast e.g. two SSIDs (Service Set Identifier), and is a rather cost-intensive investment. As mentioned, IEEE 802.1x can be used for authentication of a user within a wireless LAN. 802.1x is an open source IEEE protocol from the Institute of Electrical and Electronics Engineers Standards Association. The IEEE 802.1x authentication permits authenticated access to IEEE 802 media such as, for example, Ethernet, Token Ring and/or 802.11 wireless LAN. The 802.11 protocol generates for wireless LAN, i.e. for wireless local networks, a 1 Mbps, 2 Mbps or 11 Mbps transmission in the 2.4 GHz band, whereby either FHSS (Frequency Hopping Spread Spectrum) or DSSS (Direct Sequence Spread Spectrum) is used. For authentication, 802.1x supports authentication EAP (Extensible Authentication Protocol) and EAP-TLS (Wireless Transport Layer Security, RFC 2716 (PPP EAP TLS Authentication Protocol)). As a generic authentication scheme, EAP hides to the visited network the type of credentials that are being used by the home operator. Implementation of EAP include EAP-SIM (EAP for Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM), RFC 4186), EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement, RFC4187), EAP-TLS, EAP-TTLS (EAP-Tunneled Transport Layer Security). 802.11 also supports RADIUS. Although the RADIUS support is optional in 802.1x, it is to be expected that most of the 802.1x authenticators will support RADIUS. The IEEE 802.1x protocol is a so-called port-based authentication protocol. It can be used in every environment in which a port, i.e. the interface of a unit, can be specified. With the authentication based on 802.1x, three units can be differentiated: the unit of the user (supplicant/client), the authenticator and the authentication server. It is the role of the authenticator to authenticate the supplicant. Authenticator and supplicant are connected, for example, via a point-to-point LAN segment or a 802.11 wireless LAN. Authenticator and supplicant have a defined port, a so-called Port Access Entry (PAE), which defines a physical or virtual 802.1x port. The authentication server generates the authentication services required by the authenticator. In this way it verifies the entitlement data supplied by the supplicant regarding the assumed identity.
UAM authentication to access a wireless network is based on the concept of a “Walled Garden”, as shown in FIG. 2. A walled garden is a “reversed” intranet that prevents a device connected within the walled garden from accessing the Internet prior to being authenticated. This technique, unlike 802.1x, allows the device to bring up all networking layers, including layer 3 (i.e. IP layer) prior to being authenticated and charged for the session. The interest of this technique is that a Web server in the walled garden can be used to perform different types of authentication, including authentication via browser and payment by credit card (not possible with 802.1x). UAM authentication is very popular because of this possibility of paying directly at a hotspot without the need of a subscription.
WISPr (Wireless Internet Service Provider roaming) is a Web based login standard (UAM) for client software. WISPr 1.0 was released in February 2003 by the Wi-Fi Alliance. Annex D of the WLAN recommendation describes an XML over HTTP protocol between client software on a personal computer (PC) or mobile phone to allow a username/password authentication toward a Wi-Fi hotspot. The protocol consists of an exchange of XML elements (similar to the Simple Object Access Protocol (SOAP)) in which the client (i.e. the software on the mobile device) exchanges information with a Web server (the WLAN hotspot) to open a WLAN session and later on to terminate a WLAN session. XML (eXtensible Markup Language) is a format and grammar to structure data, specified by the W3C consortium. SOAP is a remote procedure call protocol working over XML, also specified by the W3C consortium (World Wide Web Consortium). FIGS. 2 and 5 shows the state of the art according to WISPr specification Annex D. The client in FIG. 5 comprises the client software. The Gateway is the WISPr server 23 (FIG. 2) on the visited WLAN network. The AAA is the authentication server 22 at the home operator. WISPr defines the leg (see FIG. 5) between Client 10 and Gateway 23. The leg between Gateway 23 and AAA 22 is Radius or Diameter. In the state of the art, the authentication servers are usually based on RADIUS (Remote Authentication Dial-In User Service) of the IETF (Internet Engineering Task Force). The use of the RADIUS authentication protocol and accounting system is widespread in network units such as, for example, routers, modem servers, switches, etc., and is used by most Internet service providers (ISPs). If a user dials into an ISP he/she has to enter normally a user name and password. The Radius server verifies this information, and authorizes the user for access to the ISP system. The reason for the widespread use of RADIUS lies among other things in that network units cannot generally cope with a large number of network users each with different authentication data, since this would exceed, for example, the storage capacity of the individual network units. RADIUS permits the central administration of a multiplicity of network users (addition, deletion of users, etc.). This is therefore a necessary prerequisite of the ISPs (Internet Service Providers) for their service because their number of users often amounts to several thousand to several tens of thousands. RADIUS further generates a certain permanent protection against hackers. The remote authentication by RADIUS based on TACACS+ (Terminal Access Controller Access Control System+) and LDAP (Lightweight Directory Access Protocol) is relatively secure against hackers. Many other remote authentication protocols, in contrast, have only temporary or insufficient or no protection against hacker attacks at all. Another advantage is that RADIUS is at present the de-facto standard for remote authentication, RADIUS also being supported by nearly all systems, which is not the case for other protocols.
In the state of the art, the WISPr specification defines a XML scheme used to submit the user credentials, poll for the authentication result, etc. It should be noted that induced by shortcomings through new demands in wireless technology the Wireless Broadband Alliance is looking at further developing the WISPr standard. At the present time, WISPr Annex D is a de-facto standard in the WLAN telecom industry. It is estimated that over 90% of the commercial hotspots networks implement WISPr Annex D as an access method. In connection with WISPr, IPASS has to be mentioned. IPASS is a commercial company that unifies the management of remote and mobile devices and connectivity. IPASS has been a key contributor to the WISPr specification. IPASS had fore a long time its own proprietary scheme called GIS (Generic Interface Specification). WISPr is more or less a copycat of GIS.
The Extensible Authentication Protocol (EAP) (RFC 3748) was developed by the IETF (Internet Engineering Task Force) to create a generic authentication protocol that supports different type of credentials (username/password, certificates, SIM cards, etc.). EAP was invented to allow a generic support of authentication on a visited network without having to worry and update the infrastructure each time that a new authentication is used. The Extensible Authentication Protocol (EAP) is in reality an extension of the PPP (Point-to-Point Protocol) and is defined by the Request for Comments (RFC) 2284 PPP Extensible Authentication Protocol (EAP) of the IETF. By way of PPP a computer can be connected to the server of an ISP, for example. PPP works in the data link layer of the OSI model, and carries the IP packets of the computer to the server of the ISP that forms the interface to the Internet. In contrast to the older SLIP protocol (Serial Line Internet Protocol), PPP functions more stably and has error correction facilities. As mentioned, the extensible authentication protocol EAP is a protocol on a very general level that supports diverse authentication methods such as, for example, token cards, Kerberos of the Massachusetts Institute of Technology (MIT), strike off passwords, certificates, public key authentication and smart cards or the so-called Integrated Circuit Cards (ICC). IEEE 802.1x defines the specifications such as EAP that must be integrated into LAN frames. With communication in wireless networks via EAPs, a user requests from an access point, via wireless communication, i.e. a connection hub for the remote access client or supplicant to the WLAN, access to the wireless LAN. The AP then requests from the supplicant the identification of the user, and transmits the identification to the above-mentioned authentication server, that is based, for example, on RADIUS. The authentication server allows the Access Point to recheck the identification of the user. The AP collects this authentication data from the supplicant and transmits these to the authentication server, which terminates the authentication method. EAP is the chosen method for WiMAX authentication. The 3rd Generation Partnership Project (3GPP) has also adopted this standard for the convergence of GSM (Global System for Mobile communications) to the IP (Internet Protocol) technology. EAP is encapsulated in the mentioned “transport” protocols: PPP (Point-to-Point Protocol, IETF RFC), Radius (RFC 2869) and Diameter as computer networking protocol for AAA (Authentication, Authorization and Accounting). A secure version of the IEEE 802.11 standard (WLAN), called 802.1x, uses EAP as an authentication mechanism. Very few WLAN hotspot networks have however deployed 802.1x because this method inherently prevents a user from purchasing an Internet access via credit card (i.e. it is not possible to offer a UAM access over 802.1x). A few operators in the state of the art, such as Swisscom, have deployed a dual infrastructure that offers both UAM over 802.11 and EAP over 802.1x. This is achieved by broadcasting two signals and having a dual infrastructure. This option is however costly and many operators that have today UAM over 802.11 are reluctant to upgrade to a dual infrastructure because of the costs.
EAP was originally designed to run over PPP (Point to Point Protocol) with the limitation of a single IP hop between the device and the NAS. To overcome this limitation, L2TP was specified (RFC 2661, RFC 3931). L2TP emulates a link segment over an IP network, providing a PPP layer over multiple IP hops. L2TP (Layer Two (2) Tunneling Protocol) is an extension to the PPP protocol that enables Internet service providers (ISP) to operate Virtual Private Networks (VPNs). L2TP merges the features of two other tunneling protocols: PPTP (Point-to-Point Tunneling Protocol) from Microsoft and L2F (Layer Two Forwarding) from Cisco Systems. Like PPTP, L2TP requires that the ISP's routers support the protocol. L2TP can be used as an alternative to an EAP over WISPr. This would however require that the device implements L2TP and that the NAS (Network Access Server) implements L2TP. All traffic between the device and the NAS would then be tunneled, increasing the overhead. The software changes in the client software and the NAS would be a lot more significant than for the proposed invention. The NAS is the access gateway between an external communications network and an internal network, also referred to as “walled garden”. The Internet service providers (ISP) use the NAS to give access to the Internet after the user has been authorized by the access server, when he requests access to the network.
Other firms as Comfone AG and Service Factory AB have developed in 2004 a solution that allows a two-phase EAP type of authentication over a WISPr enabled hotspot (see FIG. 6). The two-phase scheme of this technical solution is illustrated in FIG. 6, with a first phase comprising an EAP authentication process. A one-time username/password is generated out of this phase, and the client software then proceeds with a normal WISPr login to open the WLAN session. FIG. 6 illustrates such a WISPr EAP authentication. This method has different drawbacks: First, there is a need for a special configuration at the WISP network to allow phase 1 authentication prior to the standard phase 2 authentication. Second, there is a need for the client software to implement a proprietary phase 1 protocol. Third, the two-phase approach introduces additional delay in the authentication.
With the coming of mobile WiMAX there is a need of inter-technology roaming, so that a WiMAX subscriber may roam on a WLAN hotspot with the same credentials. While this is today possible if the credentials are a username and password, there is not easy convergence if the credentials are a SIM or certificates. The WISPr EAP-SIM method (SIM authentication over the EAP protocol. IETF RFC 4186) that was developed suffers the complexity and drawbacks mentioned above.